CLM 6.0.6.1 and TLS 1.2 connection to back-end MS SQL Server 2014 - Not working
We are running CLM 6.0.6.1 on Windows Server 2012 R2. The apps installed are JTS, CCM, DCC, GC, LDX, LQE, RELM, RM and RS. All of these run on one system.
On a separate Windows Server 2012 R2 server, we are running Microsoft SQL Server 2014 (SP3).
I have TLS 1.2 enabled on the back-end server and have verified that it is working properly. But when I try enabling TLS 1.2 on the front-end application server, I get the following errors in the logs:
Caused by: java.io.IOException: CRLQE0424E An error occured instantiating database, Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server did not return a response. The connection has been closed.
JTS does start, but the admin page is blank (obviously because the applications can't start).
I have done the following in the settings:
1. In server.startup.bat, I have added this line:
set JAVA_OPTS=%JAVA_OPTS% -Djazz.connector.sslEnabledProtocols="TLSv1.2"
2. In the server.xml file, I have set the ciphers and TLS settings as follows:
<ssl enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
Does anyone have any ideas as to what I could try next? Enabling TLS 1.2 is a requirement from the DOI/USGS and right now, I've had to put our systems in the deviations group in order to keep DNG working... But I've been banging my head against the wall trying to get this working and nothing is...
In addition, this is not a firewall issue or anything else along those lines. It's either a cipher-related problem, or something to do with TLS 1.2.
Any help would be greatly appreciated!! Thanks in advance.
One answer
Disregard my previous question. I finally figured it out...
For anyone else having similar issues, here's what you need to change.
Again, this is on Windows but I'm sure you can translate it for Linux if needed! And this is assuming you have already disabled TLS 1.0 and TLS 1.1 on both the application server and the database server, as well as configured SQL Server to run with TLS 1.2 only...
In server.startup.bat, add the following two lines (or edit the connector to make it just 1.2):
set JAVA_OPTS=%JAVA_OPTS% -Djazz.connector.sslEnabledProtocols="TLSv1.2"
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.overrideDefaultTLS=true
In server.xml, add the following:
<ssl enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
Kick the server and you should be good.
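A quick way to check the effect of the JAVA_OPTS lines in the answer above, as an added example that is not part of the original post or of CLM: this small Java program reports whether the JVM's generic "TLS" context enables TLSv1.2 by default for outbound connections. The class name TlsClientDefaults is hypothetical, and it is assumed that the database connection uses the JVM's generic "TLS" context; run it with the same Java runtime and options as the CLM server.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added diagnostic, not from the original post. Compile with javac, then run
// once without and once with the option from the answer, for example:
//   java TlsClientDefaults
//   java -Dcom.ibm.jsse2.overrideDefaultTLS=true TlsClientDefaults
public class TlsClientDefaults {

    enum State { ENABLED_BY_DEFAULT, SUPPORTED_BUT_NOT_ENABLED, UNSUPPORTED }

    // Classify one protocol against what the given context enables and supports.
    static State classify(SSLContext ctx, String protocol) {
        List<String> enabled =
            Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
        List<String> supported =
            Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        if (enabled.contains(protocol)) return State.ENABLED_BY_DEFAULT;
        if (supported.contains(protocol)) return State.SUPPORTED_BUT_NOT_ENABLED;
        return State.UNSUPPORTED;
    }

    public static void main(String[] args) throws Exception {
        // Protocol to check; TLSv1.2 is the one required on this page.
        String required = args.length > 0 ? args[0] : "TLSv1.2";

        // The generic "TLS" context with default key/trust managers.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);

        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("com.ibm.jsse2.overrideDefaultTLS = "
            + System.getProperty("com.ibm.jsse2.overrideDefaultTLS"));
        System.out.println("enabled by default: "
            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("supported:          "
            + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        State state = classify(ctx, required);
        System.out.println(required + " -> " + state);

        // Non-zero exit code when the protocol is not enabled by default,
        // so the check can be used from a batch file.
        System.exit(state == State.ENABLED_BY_DEFAULT ? 0 : 1);
    }
}
```

A result of SUPPORTED_BUT_NOT_ENABLED means the runtime can speak the protocol but client sockets created from the default context will not offer it, which matches a handshake failure against a server that accepts TLS 1.2 only.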